From cee95461d15fac87ba01ddb63f0715099e985d4f Mon Sep 17 00:00:00 2001 From: Maycon Santos Date: Tue, 15 Oct 2024 15:03:17 +0200 Subject: [PATCH 1/4] [client] Add universal bin build and update sign workflow version (#2738) * Add universal binaries build for macOS * update sign pipeline version * handle info.plist in sign workflow --- .github/workflows/release.yml | 4 ++-- .goreleaser.yaml | 3 +++ .goreleaser_ui_darwin.yaml | 3 +++ client/ui/Info.plist | 12 ------------ 4 files changed, 8 insertions(+), 14 deletions(-) delete mode 100644 client/ui/Info.plist diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b2e2437e6..1b85ec7ef 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,7 +9,7 @@ on: pull_request: env: - SIGN_PIPE_VER: "v0.0.14" + SIGN_PIPE_VER: "v0.0.15" GORELEASER_VER: "v2.3.2" PRODUCT_NAME: "NetBird" COPYRIGHT: "Wiretrustee UG (haftungsbeschreankt)" @@ -223,4 +223,4 @@ jobs: repo: netbirdio/sign-pipelines ref: ${{ env.SIGN_PIPE_VER }} token: ${{ secrets.SIGN_GITHUB_TOKEN }} - inputs: '{ "tag": "${{ github.ref }}" }' + inputs: '{ "tag": "${{ github.ref }}", "skipRelease": false }' diff --git a/.goreleaser.yaml b/.goreleaser.yaml index cf2ce4f4f..e718b3fcd 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -96,6 +96,9 @@ builds: - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser mod_timestamp: "{{ .CommitTimestamp }}" +universal_binaries: + - id: netbird + archives: - builds: - netbird diff --git a/.goreleaser_ui_darwin.yaml b/.goreleaser_ui_darwin.yaml index bccb7f471..0a0082075 100644 --- a/.goreleaser_ui_darwin.yaml +++ b/.goreleaser_ui_darwin.yaml @@ -23,6 +23,9 @@ builds: tags: - load_wgnt_from_rsrc +universal_binaries: + - id: netbird-ui-darwin + archives: - builds: - netbird-ui-darwin 
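Review bot: In the `inputs` line of the second release.yml hunk, `${{ github.ref }}` is pasted into a hand-written JSON string, so a ref name containing a double quote or backslash would yield malformed or altered dispatch inputs for the signing workflow. Letting the expression engine do the quoting keeps the payload well-formed: `inputs: '{ "tag": ${{ toJSON(github.ref) }}, "skipRelease": false }'`. The interpolation predates this commit, but the line is rewritten here and now carries a second field. The job's trigger conditions are outside the hunk, so who can influence the ref cannot be confirmed from here.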
diff --git a/client/ui/Info.plist b/client/ui/Info.plist deleted file mode 100644 index 8441110b9..000000000 --- a/client/ui/Info.plist +++ /dev/null @@ -1,12 +0,0 @@ - - - - - CFBundleExecutable - netbird-ui - CFBundleIconFile - Netbird - LSUIElement - 1 - - From 8c8900be57b76e40bedcb4c6c56d4a57d2afd9bf Mon Sep 17 00:00:00 2001 From: Viktor Liu <17948409+lixmal@users.noreply.github.com> Date: Wed, 16 Oct 2024 17:35:59 +0200 Subject: [PATCH 2/4] [client] Exclude loopback from NAT (#2747) --- client/firewall/iptables/router_linux.go | 4 +++- client/firewall/nftables/router_linux.go | 15 +++++++++++++++ client/firewall/nftables/router_linux_test.go | 12 ++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/client/firewall/iptables/router_linux.go b/client/firewall/iptables/router_linux.go index e60c352d5..129323928 100644 --- a/client/firewall/iptables/router_linux.go +++ b/client/firewall/iptables/router_linux.go @@ -433,10 +433,12 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error { func genRuleSpec(jump string, source, destination netip.Prefix, intf string, inverse bool) []string { intdir := "-i" + lointdir := "-o" if inverse { intdir = "-o" + lointdir = "-i" } - return []string{intdir, intf, "-s", source.String(), "-d", destination.String(), "-j", jump} + return []string{intdir, intf, "!", lointdir, "lo", "-s", source.String(), "-d", destination.String(), "-j", jump} } func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string { diff --git a/client/firewall/nftables/router_linux.go b/client/firewall/nftables/router_linux.go index 404ba6957..03526fee7 100644 --- a/client/firewall/nftables/router_linux.go +++ b/client/firewall/nftables/router_linux.go 
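Review bot: The new `"!", lointdir, "lo"` match in `genRuleSpec` has no comment and, judging by the diffstat, no test, while the nftables change in the same commit has both. A reader of the iptables backend cannot tell why loopback is carved out of the rule, so I would repeat the nftables rationale above the `lointdir` declaration: `// Exclude the loopback interface, as NAT on it changes the ebpf proxy port`. A table test pinning the returned slice for both values of `inverse` would keep the two backends from drifting apart. Callers of `genRuleSpec` are outside the hunk, so it is worth confirming that rules installed with the old spec are still found when they are removed.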
@@ -425,11 +425,15 @@ func (r *router) addNatRule(pair firewall.RouterPair) error { destExp := generateCIDRMatcherExpressions(false, pair.Destination) dir := expr.MetaKeyIIFNAME + notDir := expr.MetaKeyOIFNAME if pair.Inverse { dir = expr.MetaKeyOIFNAME + notDir = expr.MetaKeyIIFNAME } + lo := ifname("lo") intf := ifname(r.wgIface.Name()) + exprs := []expr.Any{ &expr.Meta{ Key: dir, @@ -440,6 +444,17 @@ func (r *router) addNatRule(pair firewall.RouterPair) error { Register: 1, Data: intf, }, + + // We need to exclude the loopback interface as this changes the ebpf proxy port + &expr.Meta{ + Key: notDir, + Register: 1, + }, + &expr.Cmp{ + Op: expr.CmpOpNeq, + Register: 1, + Data: lo, + }, } exprs = append(exprs, sourceExp...) diff --git a/client/firewall/nftables/router_linux_test.go b/client/firewall/nftables/router_linux_test.go index 25b7587ac..c07111b4e 100644 --- a/client/firewall/nftables/router_linux_test.go +++ b/client/firewall/nftables/router_linux_test.go @@ -69,6 +69,12 @@ func TestNftablesManager_AddNatRule(t *testing.T) { Register: 1, Data: ifname(ifaceMock.Name()), }, + &expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpNeq, + Register: 1, + Data: ifname("lo"), + }, ) natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair) @@ -97,6 +103,12 @@ func TestNftablesManager_AddNatRule(t *testing.T) { Register: 1, Data: ifname(ifaceMock.Name()), }, + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpNeq, + Register: 1, + Data: ifname("lo"), + }, ) inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair)) From f942491b91d8d4627402512f5ec8ff5054a570f7 Mon Sep 17 00:00:00 2001 
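Review bot: `notDir` in `addNatRule` reads as a negation of `dir`, but it holds the opposite-direction meta key (`MetaKeyOIFNAME` when the rule matches on `MetaKeyIIFNAME`, and the reverse when `pair.Inverse` is set); the negation itself comes only from `CmpOpNeq` in the second hunk. A name such as `oppositeDir` would say that, and the same applies to `lointdir` in the iptables `genRuleSpec`. The inline comment could also state which side is tested, e.g. `// Do not match when the opposite-direction interface is loopback; NAT there changes the ebpf proxy port`. The function body starts and ends outside these hunks.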
From: Emre Oksum Date: Wed, 16 Oct 2024 18:51:21 +0300 Subject: [PATCH 3/4] Update Zitadel version on quickstart script (#2744) Update Zitadel version at docker compose in quickstart script from 2.54.3 to 2.54.10 because 2.54.3 isn't stable and has a lot of bugs. --- infrastructure_files/getting-started-with-zitadel.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure_files/getting-started-with-zitadel.sh b/infrastructure_files/getting-started-with-zitadel.sh index 2c5c35d53..16b2364fb 100644 --- a/infrastructure_files/getting-started-with-zitadel.sh +++ b/infrastructure_files/getting-started-with-zitadel.sh @@ -873,7 +873,7 @@ services: zitadel: restart: 'always' networks: [netbird] - image: 'ghcr.io/zitadel/zitadel:v2.54.3' + image: 'ghcr.io/zitadel/zitadel:v2.54.10' command: 'start-from-init --masterkeyFromEnv --tlsMode $ZITADEL_TLS_MODE' env_file: - ./zitadel.env From 96d22076849027e7b8179feabbdd9892d600eb5a Mon Sep 17 00:00:00 2001 From: Bethuel Mmbaga Date: Wed, 16 Oct 2024 18:55:30 +0300 Subject: [PATCH 4/4] Fix JSON function compatibility for SQLite and PostgreSQL (#2746) resolves the issue with json_array_length compatibility between SQLite and PostgreSQL. It adjusts the query to conditionally cast types: PostgreSQL: Casts to json with ::json. SQLite: Uses the text representation directly. --- management/server/sql_store.go | 12 ++++++++++-- management/server/sql_store_test.go | 13 +++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/management/server/sql_store.go b/management/server/sql_store.go index de3dfa945..47395f511 100644 --- a/management/server/sql_store.go +++ b/management/server/sql_store.go 
@@ -1154,8 +1154,16 @@ func (s *SqlStore) GetGroupByID(ctx context.Context, lockStrength LockingStrengt func (s *SqlStore) GetGroupByName(ctx context.Context, lockStrength LockingStrength, groupName, accountID string) (*nbgroup.Group, error) { var group nbgroup.Group - result := s.db.WithContext(ctx).Clauses(clause.Locking{Strength: string(lockStrength)}).Preload(clause.Associations). - Order("json_array_length(peers) DESC").First(&group, "name = ? and account_id = ?", groupName, accountID) + // TODO: This fix is accepted for now, but if we need to handle this more frequently + // we may need to reconsider changing the types. + query := s.db.WithContext(ctx).Clauses(clause.Locking{Strength: string(lockStrength)}).Preload(clause.Associations) + if s.storeEngine == PostgresStoreEngine { + query = query.Order("json_array_length(peers::json) DESC") + } else { + query = query.Order("json_array_length(peers) DESC") + } + + result := query.First(&group, "name = ? and account_id = ?", groupName, accountID) if err := result.Error; err != nil { if errors.Is(result.Error, gorm.ErrRecordNotFound) { return nil, status.Errorf(status.NotFound, "group not found") diff --git a/management/server/sql_store_test.go b/management/server/sql_store_test.go index 20e812ea7..000eb1b11 100644 --- a/management/server/sql_store_test.go +++ b/management/server/sql_store_test.go @@ -1251,3 +1251,16 @@ func TestSqlStore_UpdateAccountDomainAttributes(t *testing.T) { }) } + +func TestSqlite_GetGroupByName(t *testing.T) { + store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir()) + t.Cleanup(cleanup) + if err != nil { + t.Fatal(err) + } + accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b" + + group, err := store.GetGroupByName(context.Background(), LockingStrengthShare, "All", accountID) + require.NoError(t, err) + require.Equal(t, "All", group.Name) +}
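Review bot: The `else` branch in `GetGroupByName` sends the SQLite form `json_array_length(peers)` to every engine that is not `PostgresStoreEngine`, and nothing on the line says so. I would document that assumption where it is made, `// Every engine other than Postgres is assumed to accept SQLite's json_array_length(text)`, so that adding an engine later prompts a review of this query; an explicit switch on `s.storeEngine` with an error default would be stricter still. Both ORDER BY strings are constants, so the branch adds no injection surface. The TODO would be easier to act on if it named the type it refers to, presumably the column type of `peers`. The function body continues past the end of the hunk.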
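Review bot: `t.Cleanup(cleanup)` in `TestSqlite_GetGroupByName` is registered before `err` is checked, so if `NewTestStoreFromSQL` fails and returns a nil cleanup, the test panics during teardown instead of reporting the real error. Check first and register afterwards: `require.NoError(t, err)` followed by `t.Cleanup(cleanup)`. The test name suggests it runs against SQLite only, in which case the `peers::json` branch this commit adds for PostgreSQL is not exercised; a variant that runs when the Postgres engine is selected would cover the actual fix.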